Skip to content

M1048 Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Item Value
ID M1048
Version 1.1
Created 11 June 2019
Last Modified 31 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1189 Drive-by Compromise Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.43
enterprise T1611 Escape to Host Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining a Pod Security Policy that limits container access to host process namespaces, the host network, and the host file system.1
enterprise T1190 Exploit Public-Facing Application Application isolation will limit what other processes and system features the exploited target can access.
enterprise T1203 Exploitation for Client Execution Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. 4 3
enterprise T1212 Exploitation for Credential Access Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.3
enterprise T1211 Exploitation for Defense Evasion Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. 3
enterprise T1068 Exploitation for Privilege Escalation Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. 3
enterprise T1210 Exploitation of Remote Services Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. 3
enterprise T1559 Inter-Process Communication Ensure all COM alerts and Protected View are enabled.2
enterprise T1559.001 Component Object Model Ensure all COM alerts and Protected View are enabled.2
enterprise T1559.002 Dynamic Data Exchange Ensure Protected View is enabled.2
enterprise T1021 Remote Services -
enterprise T1021.003 Distributed Component Object Model Ensure all COM alerts and Protected View are enabled.2

References

Back to top